1 / 46

HP World 2005 Securing your Unix environment with HP Secure Shell

HP World 2005 Securing your Unix environment with HP Secure Shell. Steven E Protter Senior Systems Administrator I.S.N. Corporation. Secure Shell Presentation Outline 1. Presenter information Qualifications and experience. Warning !! How he got here. What is HP Secure Shell Advantages

liberty
Download Presentation

HP World 2005 Securing your Unix environment with HP Secure Shell

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HP World 2005 Securing your Unix environment with HP Secure Shell Steven E Protter Senior Systems Administrator I.S.N. Corporation

  2. Secure Shell Presentation Outline 1 • Presenter information • Qualifications and experience. • Warning !! • How he got here. • What is HP Secure Shell • Advantages • Challenges • Components

  3. Secure Shell Presentation Outline 2 • Where do I get HP Secure Shell • How do I install HP Secure Shell • Why should I use HP Secure Shell

  4. Secure Shell Presentation Outline 3 • Step by step for installation and exchange of public keys. • Downloading the software. • Installation. • Exchanging public keys. • Questions and (hopefully) answers

  5. Getting Started

  6. 10 years of systems administration work on HP-UX 10.20, 11 and 11i v1 Actual Experience with a disaster involving major loss of data. Five years of experience as a Linux administrator HP-UX CSA (Can pass a multiple choice examination) Two major Unix OS/Hardware conversions. Qualifications and Experience 1

  7. 14 ½ Years @ the Jewish United Fund Experience as a programmer. Systems Analyst Software AG and Oracle DBA HP-UX Administrator Married 10 years to a Russian American Recently moved to Israel Qualifications and Experience 2

  8. Warning! Try this at your shop! • I do not have complete knowledge on topic • Nobody can, its two complex. • Have made this work in a mixed HP-UX/Linux environment. • Can only understand Russian accented English. • This is something you want to try at home.

  9. How Steve Protter Got here • Found a call for presentations at http://forums.itrc.hp.com • Sent in two suggestions • Both were accepted • Flew from Tel Aviv to Newark, NJ • Drove from Connecticut to San Francisco • Made several consulting stops in route

  10. What is HP Secure Shell? • Hewlett-Packard’s port of openssh • Open source product • More information @ http://www.openssh.org

  11. More Information

  12. Advantages of HP Secure Shell? • Hewlett-Packard’s Port of openssh • Some bugs were fixed prior to HP release. • Released in depot format • Port insures smooth operation with HP-UX • Replaces insecure products such as rsh and remesh • Session and passwords are encrypted

  13. Challenges of HP Secure Shell? • Sometimes you have to wait for it. • The environment is slightly different than what it replaces. • You can not completely remove the old protocols and still do Ignite Imaging. • To be announced.

  14. Secure Shell Components 1 • ssh: Secure Shell • Replaces rsh, rexec, remesh, telnet • sftp: Secure file transfer protocol • Common command set with ftp • Knows the difference between binary and ascii files • No mput • Scriptable

  15. Secure Shell Components 2 • scp: Secure copy • Replaces rcp • Can copy large file systems • Makes my life easier

  16. How to get HP Secure Shell • Core OS: It is/may be an install option • Application CD: Released every 6 months • http://www.hp.com/go/software

  17. http://www.hp.com/go/software

  18. http://www.hp.com/go/software

  19. How to get HP Secure Shell

  20. How to get HP Secure Shell

  21. How to get HP Secure Shell

  22. How to get HP Secure Shell

  23. How to get HP Secure Shell • Use sftp to copy it to HP-9000 server or use a web browser on the box for download. • Wed Jun 1 16:37:46 2005:/home/secsh • [8460#] ll • total 16420 • -rw-r--r-- 1 root sys 8407040 Jun 1 23:48 T1471AA_A.04.00.000_HP-UX_B.11.11_32+64.depot

  24. Before you install • Read the installation instructions • Not because you don’t know how to swinstall. • Because there may be patch recommendations and other helpful information.

  25. Patches • 11i version 1 patches • Pam patch: PHCO_30402 • OS patch: PHCO_26466 swlist –l product | grep PHCO_30402 swlist –l product | grep PHCO_26466 • Why? It may still install but give trouble later.

  26. How to install HP Secure Shell swinstall -s /home/secsh/T1471AA_A.04.00.000_HP-UX_B.11.11_32+64.depot \*

  27. “The command line is the Systems Administrators best friend.” Steven E Protter Senior Systems Administrator ISN Corporation

  28. “Because someday it may be all you have.” Steven E Protter Senior Systems Administrator ISN Corporation

  29. Situations with no GUI tools: • Single User Mode (hpux –is) • LM mode (hpux –lm)

  30. Public Key Exchange • Advantages: • Ease of administration • More secure than typing passwords • You don’t have to remember passwords • Works over multiple operating systems

  31. Public Key Exchange • Challenges: • You may someday boot the wrong system • If a root password is compromised on one system root access is granted on all systems with public key exchange.

  32. Public Key Exchange • Tricks (ways to stay out of trouble): • Change the prompt to include system name • Set terminal color in the environment profile

  33. Public Key Exchange: Change prompt • PS1= [8476#] echo ${PS1} Wed Jun 1 16:37:46 2005:$PWD [!#] In /etc/profile ENV=/.kshrc

  34. Public Key Exchange: Change prompt vi /.kshrc PS1=`date -u +%c `:`echo $LOGNAME@``hostname`‘ $PWD [!#] '

  35. Public Key Exchange: Change prompt • A prompt that lets you know where you are Thu Jun 2 13:50:10 2005:root@eilat /root/ [1158#]

  36. Public Key Exchange: Generate keys ssh-keygen -t dsa. Press <ENTER> for the next 3 questions This creates a directory called .ssh cd .ssh

  37. Public Key Exchange ls –la -rw------- 1 root sys 668 Jun 2 09:03 id_dsa -rw-r----- 1 root sys 600 Jun 2 09:03 id_dsa.pub cat id_dsa.pub (just taking a look)

  38. Public Key Exchange: Home directory permissions [1168#] env | grep HOME HOME=/root/ Thu Jun 2 13:50:10 2005:root@eilat /root/.ssh [1169#] chmod 755 $HOME Thu Jun 2 13:50:10 2005:root@eilat /root/.ssh

  39. Public Key Exchange: Host setup ssh hpweb The authenticity of host 'hpweb (192.168.0.70)' can't be established. RSA key fingerprint is 97:1d:cb:bf:b3:54:9f:54:12:8f:2f:3a:aa:b9:10:7c. Are you sure you want to continue connecting (yes/no)? yes <enter> Warning: Permanently added 'hpweb,192.168.0.70' (RSA) to the list of known hosts. Password:

  40. Public Key Exchange: Host setup cd .ssh scp –p eilat:/$PWD/id_dsa.pub authorized_keys <Generate a public key on second host> cat id_dsa.pub >> authorized_keys chmod 644 authorized_keys <optional depending on umask> scp –p authorized_keys eilat:/$PWD

  41. Public Key Exchange: Host setup ls –la before and after -rw-r----- 1 root sys 600 Jun 2 09:03 authorized_keys -rw-r----- 1 root sys 2020 Nov 21 2004 id.dat -rw------- 1 root sys 668 Apr 26 04:56 id_dsa -rw-r--r-- 1 root sys 600 Apr 26 04:56 id_dsa.pub -rw-r--r-- 1 root sys 3339 May 8 00:34 known_hosts -rw------- 1 root sys 1024 Feb 13 2004 prng_seed [8494#] cat id_dsa.pub >> authorized_keys Thu Jun 2 14:20:20 2005:/root/.ssh -rw-r----- 1 root sys 1200 Jun 2 09:21 authorized_keys -rw-r----- 1 root sys 2020 Nov 21 2004 id.dat -rw------- 1 root sys 668 Apr 26 04:56 id_dsa -rw-r--r-- 1 root sys 600 Apr 26 04:56 id_dsa.pub -rw-r--r-- 1 root sys 3339 May 8 00:34 known_hosts -rw------- 1 root sys 1024 Feb 13 2004 prng_seed

  42. Public Key Exchange: Host setup scp –p authorized_keys eilat:/$PWD You will be prompted for a password. Try it again, you should not be prompted for a password. DONE! 

  43. Public Key Exchange: Summary • Permissions are crucial. • If prompted for a passwordwhen you think you should not be prompted, go back and check permissions

  44. Questions & (Hopefully) Answers

  45. More Information • http://forums.itrc.hp.com • http://docs.hp.com • http://itrc.hp.com • http://www.hp.com/go/software

More Related